Clientless SSL VPN on Cisco IOS Router
Clientless SSL VPN allows a user to securely access resources remotely using an SSL-enabled web browser. This is a step-by-step guide to setting up Clientless SSL VPN (WebVPN) on a Cisco IOS router. Each SSL VPN Gateway requires a license to serve SSL clients. Cisco provides a two-user complimentary license on the supported routers. If more users need to be served by the SSL Gateway, licenses must be purchased.
The clients' web browsers (e.g. Mozilla Firefox, IE8) must support SSL. The latest SSL protocols supported are SSLv3 and TLSv1.0.
Step 1: Setting up User Authentication
Clients must authenticate themselves against either the local database or an authentication server, such as RADIUS or TACACS+, on the SSL Gateway. This setup will use a RADIUS server. The Cisco router is configured for AAA as follows:
Setting up user authentication
Step 2: Synchronizing Time with NTP
In this step it is highly recommended that the Cisco IOS router be synchronized with the CA server before obtaining a digital certificate, since certificate validity periods are checked against the router clock. The ntp authenticate and ntp authentication-key commands are optional and provide authentication with the NTP server.
Configuring NTP on Cisco router
Step 3: Enrolling Digital Certificates
Since a Cisco IOS router does not have any built-in certificate that the HTTP secure server can use during the SSL handshake, this step involves obtaining a certificate. There are two ways to obtain a certificate:
The first method is that the Cisco IOS router generates its own certificate and signs it as being valid. This is also called a self-signed certificate. This type of certificate has limited usage, because if the router reboots, the certificate is lost and the router has to generate a new certificate, which the client then has to accept again as being valid. A persistent self-signed certificate survives router reloads because it is stored in NVRAM.
The second method involves obtaining a certificate from a CA (Certificate Authority) server. A Certificate Authority is a trusted entity which issues digital certificates for use by other parties. Examples of commercial CAs are Verisign, Entrust, etc. Microsoft Windows Server 2003 can also act as a CA server.
The Cisco IOS router obtains a digital certificate either with manual enrollment (copy and paste) or with automatic enrollment using SCEP (Simple Certificate Enrollment Protocol). We will use automatic enrollment with Microsoft Windows Server 2003 using SCEP, which Cisco IOS supports. SCEP must be running on Server 2003: obtain the cepsetup.exe file from Microsoft's website and execute it on Server 2003.
To obtain a certificate from the CA Server, the following sub-tasks must be completed.
Step 3.1: Generate RSA keys
RSA keys are generated in pairs: one public RSA key and one private RSA key. There are two types of RSA key pairs: special-usage keys and general-purpose keys (the default).
The special-usage option generates two key pairs. One pair will be used for any IKE policy that specifies RSA signatures as the authentication method; the second pair will be used for any IKE policy that specifies RSA-encrypted keys as the authentication method.
The general-purpose option generates only one key pair. This pair will be used for any IKE policy that specifies either RSA signatures or RSA-encrypted keys as the authentication method.
Before an RSA key pair can be generated, the hostname and the domain-name must be configured on the router. Then the crypto key generate rsa command can be used to generate the RSA key pair.
Generate RSA key pair
When the Cisco router sends a certificate request to the CA server, it will also include the RSA public key generated with this command.
It is important to store the configuration to NVRAM at this stage, because the RSA keys can be lost if the router reloads. Hence, we perform the copy run start command at this stage.
The show crypto key mypubkey rsa command shows the public keys associated with the Cisco router.
show crypto key mypubkey rsa
Step 3.2: Creating a Trustpoint
A trustpoint is a CA server that we trust to obtain a digital certificate from. The crypto pki trustpoint command enables us to configure all the necessary certificate parameters. Trustpoints are used because a Cisco router can enroll with multiple CA servers using different RSA key pairs.
We will use the automatic enrollment method with Windows Server 2003 using SCEP. Manual enrollment is done using the enrollment terminal command. A self-signed certificate can be generated using the enrollment selfsigned command.
Creating a trustpoint
Step 3.3: Obtaining a CA Certificate
This step requests the CA certificate before requesting an identity certificate. The CA certificate contains the RSA public key of the CA server, followed by the digital signature of the CA server.
The crypto pki authenticate command is used to import the CA certificate.
importing CA certificate
As seen above, the router prompts us whether to accept the CA certificate, displaying its fingerprint. Once accepted, all certificates issued by this CA server will be trusted by this router.
Step 3.4: Obtaining an Identity Certificate
This step requests an identity certificate for the router itself from the CA server trusted in the previous step. The crypto pki enroll command causes the router to generate an identity certificate request and send it to the CA server.
While obtaining the identity certificate, the router prompts for a "password". This password must match the one-time challenge password generated when opening the URL http://192.168.1.9/certsrv/mscep.
Obtaining an Identity Certificate for the router
The show crypto pki certificates command shows the certificates (CA and identity) available on the router.
SSLGateway# show crypto pki certificates
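The following is an added configuration example covering Steps 1 to 3 as a single sequence; it is not the article's own configuration. The hostname SSLGateway and the CA/SCEP server address 192.168.1.9 come from the article; the RADIUS server address, shared secrets, domain name, key label, trustpoint name and subject name are assumed placeholder values.

```text
! Added example, not the article's configuration. Placeholder secrets must be replaced.
! Step 1: AAA login list that tries RADIUS first and falls back to the local database
aaa new-model
aaa authentication login SSLVPN-AUTH group radius local
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
username fallback-admin privilege 15 secret LOCAL-SECRET-PLACEHOLDER
!
! Step 2: authenticated NTP, so certificate validity dates are evaluated against a trusted clock
ntp authentication-key 1 md5 NTP-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.9 key 1
!
! Step 3.1: hostname and domain name are mandatory before RSA key generation
hostname SSLGateway
ip domain-name example.com
crypto key generate rsa general-keys label SSLVPN-KEY modulus 2048
!
! Step 3.2: trustpoint using SCEP automatic enrollment against the Windows Server 2003 CA
crypto pki trustpoint MS-CA
 enrollment url http://192.168.1.9/certsrv/mscep/mscep.dll
 subject-name CN=SSLGateway,O=Example
 rsakeypair SSLVPN-KEY
 ! lab setting: in production keep revocation checking enabled (revocation-check crl)
 revocation-check none
!
! Step 3.3: import the CA certificate; compare the displayed fingerprint with the CA before accepting
crypto pki authenticate MS-CA
! Step 3.4: request the identity certificate; enter the one-time SCEP challenge password when prompted
crypto pki enroll MS-CA
!
! Save keys and certificates to NVRAM so they survive a reload
end
copy running-config startup-config
```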
Step 4: Configuring the SSL VPN Gateway
In SSL VPN, the Cisco router acts as a proxy between the client with an SSL-enabled web browser and the resources on the internal network. VPN sessions terminate at the SSL VPN Gateway's public IP address, and all VPN users point their web browser to this public IP address. In IOS, this is configured using the webvpn gateway <Gateway_name> command.
SSL VPN Gateway
Gateway: The Gateway_Name has only local significance and is used to define an instance that is mapped to the SSL VPN context to terminate user sessions.
IP Address: This is the public IP address at which all VPN sessions terminate. The port number is 443 for HTTPS.
Trustpoint: The certificate associated with this trustpoint will be presented during negotiation with VPN clients.
HTTP Port Redirect: This is used if a VPN client initiates an HTTP connection rather than an HTTPS connection. The router will automatically redirect the HTTP connection on port 80 to the HTTPS connection on port 443.
inservice: This enables the SSL VPN Gateway definition.
Step 5: Configuring the SSL VPN Context
The actual user sessions are established to the SSL VPN context using the SSL VPN Gateway definition configured in Step 4. The context includes all the policies that can be applied to a user or a group of users, and it references the authentication list that performs the actual user authentication. It is configured using the webvpn context <Name> command.
SSL VPN Context
Gateway: This maps to the previously configured (Step 4) SSL VPN Gateway.
Authentication list: This defines the authentication method for VPN clients.
Maximum Number of Users: This limits the number of users that can use the SSL VPN service.
inservice: This enables the SSL VPN Context definition.
Step 6: Configuring SSL VPN Group Policies
A group policy is a set of common parameters that an SSL VPN user inherits during tunnel negotiation. These parameters include ACLs, session timeout, banner, port forwarding, etc. Only one group policy can be applied to a user; the policy assigned to users is known as the default-group-policy.
Remote users can use SSL VPN to browse their internal websites and Outlook Web Access. These links are also called Bookmarks and are configured using the url-list command under the webvpn context. Each actual URL is defined using the url-text command.
After defining the URL list, the next step is to map these definitions to the appropriate group policy.
Configuring SSL VPN Group Policy
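The following is an added configuration example covering Steps 4 to 6 together; it is not the article's own configuration. The gateway address 172.27.1.2, port 443, the HTTP-to-HTTPS redirect, the trustpoint and the two-user limit follow the article; the gateway, context, list and policy names, the bookmark URLs, the banner and the timeouts are assumed values, and the AAA list SSLVPN-AUTH is assumed to have been defined in Step 1.

```text
! Added example, not the article's configuration. Names and URLs are assumed values.
! Step 4: gateway where SSL sessions terminate, presenting the CA-issued certificate
webvpn gateway SSLVPN-GW
 ip address 172.27.1.2 port 443
 http-redirect port 80
 ssl trustpoint MS-CA
 ! restrict cipher suites to AES with SHA-1, excluding RC4-MD5
 ssl encryption aes-sha1
 inservice
!
! Step 5: context bound to the gateway, authenticating users via the AAA list from Step 1
webvpn context SSLVPN-CTX
 gateway SSLVPN-GW
 aaa authentication list SSLVPN-AUTH
 ! matches the two-user complimentary license
 max-users 2
 !
 ! Step 6: bookmarks (url-list) mapped into the default group policy
 url-list "INTRANET"
  heading "Internal resources"
  url-text "Intranet portal" url-value "http://intranet.example.com"
  url-text "Outlook Web Access" url-value "https://mail.example.com/exchange"
 policy group DEFAULT-POLICY
  url-list "INTRANET"
  banner "Authorized users only. Sessions are logged."
  ! idle timeout 30 minutes, absolute session limit 10 hours
  timeout idle 1800
  timeout session 36000
 default-group-policy DEFAULT-POLICY
 inservice
```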
When the user first initiates an HTTPS connection to the router by opening https://172.27.1.2 in a web browser, the following page is displayed.
This is because Mozilla Firefox does not have the Windows Server 2003 CA among its trusted CAs. We can accept this certificate by clicking on I Understand the Risks. This takes us straight to the SSL VPN service page, which prompts for a username and password.
Once successfully logged in, the user is presented with the custom page belonging to the assigned group policy. The user can now access the internal website.
The following output shows a successful webvpn session with the user¬†[email protected]